redline | 5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe
Size

1.3MB
MD5

24cca2a9f98862f05d8ec923d854eb41
SHA1

81df5fb2dfbaf33eeb4c18d6c73bbf531c3434fd
SHA256

5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e
SHA512

79a7c41d16282a2ad9518b00ea15cc01c6aec40a727fa0154f221ce76783a72bbefd355b655f384d24591b253173284d46994d376c9fc51b549ec82461cdb96b
SSDEEP

24576:cy5jD+g4kFvov3p8KuYWCI6T/vVoFLjnFjXp8Q8V:L1D4wc8G15TXVULj958r

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3460-205-0x0000000008280000-0x0000000008898000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n7038952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n7038952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n7038952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n7038952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n7038952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n7038952.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2284	z4444086.exe
1996	z7293975.exe
1480	z9160507.exe
4460	n7038952.exe
3460	o4266009.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n7038952.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n7038952.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4444086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4444086.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7293975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7293975.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9160507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9160507.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4912	4460	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	n7038952.exe
4460	n7038952.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	n7038952.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2284	1964	5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe	87
PID 1964 wrote to memory of 2284	1964	5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe	87
PID 1964 wrote to memory of 2284	1964	5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe	87
PID 2284 wrote to memory of 1996	2284	z4444086.exe	88
PID 2284 wrote to memory of 1996	2284	z4444086.exe	88
PID 2284 wrote to memory of 1996	2284	z4444086.exe	88
PID 1996 wrote to memory of 1480	1996	z7293975.exe	89
PID 1996 wrote to memory of 1480	1996	z7293975.exe	89
PID 1996 wrote to memory of 1480	1996	z7293975.exe	89
PID 1480 wrote to memory of 4460	1480	z9160507.exe	90
PID 1480 wrote to memory of 4460	1480	z9160507.exe	90
PID 1480 wrote to memory of 4460	1480	z9160507.exe	90
PID 1480 wrote to memory of 3460	1480	z9160507.exe	100
PID 1480 wrote to memory of 3460	1480	z9160507.exe	100
PID 1480 wrote to memory of 3460	1480	z9160507.exe	100

C:\Users\Admin\AppData\Local\Temp\5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe
"C:\Users\Admin\AppData\Local\Temp\5850739931e664a83db3cccc00f089af6373d0c9eac044a5af880f9a0d3d370e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4444086.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4444086.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7293975.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7293975.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9160507.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9160507.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7038952.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7038952.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1084
        6⤵
        Program crash
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4266009.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4266009.exe
        5⤵
        Executes dropped EXE
        
        PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4460 -ip 4460
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4444086.exe

Filesize
1.1MB

MD5
a43ab70564a9e40c2702a509b1221f55

SHA1
09c616dcf57730b9bb13841bed1222fbadc98d53

SHA256
2cf46619372bb777845be8cb4a0f3cf2d94b2e178291e4fcbf6a1b37053a96c6

SHA512
856f26ac5efff6f3ec40fad2d10a4abc666fea5baf545c420ab105a7e53056e5026a5a12ccdda8aaa2f482b1cec8a11e7407740bf2f99d55085e6de6ec2cdd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4444086.exe

Filesize
1.1MB

MD5
a43ab70564a9e40c2702a509b1221f55

SHA1
09c616dcf57730b9bb13841bed1222fbadc98d53

SHA256
2cf46619372bb777845be8cb4a0f3cf2d94b2e178291e4fcbf6a1b37053a96c6

SHA512
856f26ac5efff6f3ec40fad2d10a4abc666fea5baf545c420ab105a7e53056e5026a5a12ccdda8aaa2f482b1cec8a11e7407740bf2f99d55085e6de6ec2cdd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7293975.exe

Filesize
621KB

MD5
0e52bbda4bcdce5df20eeced6f5d1186

SHA1
49565f71f1402ebb837896f3311d385a33b5c962

SHA256
e83d89d0d7af0725df81db3f6fdc91b75b5b47e1105bd05915e919b20770453a

SHA512
0430da20a3414f709ac23189295e3630d1040319aede912aebd29985e8960a640fbf60de76d293e1e99b8ac81d1a6f54d9b974726941455ee98d3b0cc906c790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7293975.exe

Filesize
621KB

MD5
0e52bbda4bcdce5df20eeced6f5d1186

SHA1
49565f71f1402ebb837896f3311d385a33b5c962

SHA256
e83d89d0d7af0725df81db3f6fdc91b75b5b47e1105bd05915e919b20770453a

SHA512
0430da20a3414f709ac23189295e3630d1040319aede912aebd29985e8960a640fbf60de76d293e1e99b8ac81d1a6f54d9b974726941455ee98d3b0cc906c790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9160507.exe

Filesize
418KB

MD5
5505dc17aef0302e4a219d55e1e54dc1

SHA1
6a91aecfd0b01659634db12169f6c641e08b56a7

SHA256
5955d38556600ea836e607056aca24d3ed7a76b3d8cd6cac77ffe01de729c71d

SHA512
973ee6d4b38823ffd314cdf00efe831f73b2b0bfb7a914108f3f2a984b2e6c52e59ddaba7efcc9f8b40dddf28bebd942b2aef9861a524e707afcee0326ec6442

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9160507.exe

Filesize
418KB

MD5
5505dc17aef0302e4a219d55e1e54dc1

SHA1
6a91aecfd0b01659634db12169f6c641e08b56a7

SHA256
5955d38556600ea836e607056aca24d3ed7a76b3d8cd6cac77ffe01de729c71d

SHA512
973ee6d4b38823ffd314cdf00efe831f73b2b0bfb7a914108f3f2a984b2e6c52e59ddaba7efcc9f8b40dddf28bebd942b2aef9861a524e707afcee0326ec6442

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7038952.exe

Filesize
361KB

MD5
66ac29b6015fe597178f3da153acafa5

SHA1
1a0bd3ae7936d9dafad10eccbecc84e0cc63efa4

SHA256
f047606d526c9cf98d61a7ea83e78ed234c68d9b1d7901475e5bca261b107835

SHA512
f535fc8c4432dba1ec95b1f68362a52658a42508f91ff413eac93c480cfaab19ebdc73264c999a22de766e60977c4b4a02c41c21461763f59da6e4514a9bd907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7038952.exe

Filesize
361KB

MD5
66ac29b6015fe597178f3da153acafa5

SHA1
1a0bd3ae7936d9dafad10eccbecc84e0cc63efa4

SHA256
f047606d526c9cf98d61a7ea83e78ed234c68d9b1d7901475e5bca261b107835

SHA512
f535fc8c4432dba1ec95b1f68362a52658a42508f91ff413eac93c480cfaab19ebdc73264c999a22de766e60977c4b4a02c41c21461763f59da6e4514a9bd907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4266009.exe

Filesize
136KB

MD5
5c186f86d0a5301ce85ec29dd462d7ff

SHA1
d0ccfe81e46cc32dbba0df7a99fc19a8d663c3dd

SHA256
9eb56011cae5b1047459577149342310910bbb07dab8eebb4ad04e3c1ca3ac07

SHA512
b1772fbc4127fff6fc6f110aadd7b9ee59dcc6d8df28fcfcc4d290885041314d4e6e04b85e3c3c2921453363ff620513c65525b8cdb6ee630cbadddeac9613f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4266009.exe

Filesize
136KB

MD5
5c186f86d0a5301ce85ec29dd462d7ff

SHA1
d0ccfe81e46cc32dbba0df7a99fc19a8d663c3dd

SHA256
9eb56011cae5b1047459577149342310910bbb07dab8eebb4ad04e3c1ca3ac07

SHA512
b1772fbc4127fff6fc6f110aadd7b9ee59dcc6d8df28fcfcc4d290885041314d4e6e04b85e3c3c2921453363ff620513c65525b8cdb6ee630cbadddeac9613f8

Download Submit
memory/3460-210-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/3460-207-0x0000000007E20000-0x0000000007F2A000-memory.dmp

Filesize
1.0MB

Download
memory/3460-206-0x0000000007CF0000-0x0000000007D02000-memory.dmp

Filesize
72KB

Download
memory/3460-205-0x0000000008280000-0x0000000008898000-memory.dmp

Filesize
6.1MB

Download
memory/3460-204-0x0000000000FE0000-0x0000000001008000-memory.dmp

Filesize
160KB

Download
memory/3460-208-0x0000000007D50000-0x0000000007D8C000-memory.dmp

Filesize
240KB

Download
memory/3460-209-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/4460-180-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-197-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4460-178-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-174-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-182-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-184-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-186-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-188-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-190-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-192-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-194-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-195-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4460-196-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4460-176-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-198-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4460-200-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4460-172-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-170-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-168-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-167-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4460-166-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4460-165-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4460-162-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/4460-164-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4460-163-0x0000000000880000-0x00000000008AD000-memory.dmp

Filesize
180KB

Download